[PATCH] Allow duplicate non local objectSIDs

Andrew Bartlett abartlet at samba.org
Thu Nov 30 20:04:34 UTC 2017


On Thu, 2017-11-30 at 09:03 +0100, Stefan Metzmacher via samba-technical wrote:
> Hi Gary,
> 
> are we sure we only have to care about the local domain sid?

As background to this patch:

I'm pretty sure Windows has no concept of a unique index.  I've been
asked before to allow a duplicate objectGUID into Samba, and clearly
duplicate objectSid values are possible in general because we see them
with deleted and conflicting objects.

So, the simple patch is just to remove uniqueness:

https://attachments.samba.org/attachment.cgi?id=13522

However, given the things that Samba administrators often do with their
domains, injecting manually created SID values, theft of RID manager
roles, etc, I'm very wary of allowing duplicate SID values for our own
domain.

So, in hoping to avoid a security débâcle at some important
installation in the future, my hope was to still ban at the LDB index
level objectSID duplication for users/groups (which, given proper RID
allocation should be impossible) while allowing conflict objects for
foreignSecurityPrincipals.

> At least I read somewhere that the automatic creation of
> foreignSecurityPrincipal objects (which we don't support yet)
> is only done if the domain sid is not known anywhere in the forest.
> 
> Can you please check in a windows forest if it's possible to
> create a foreignSecurityPrincipal with an already existing sid
> from a different domain in the forest, as well as
> a non-existing sid, with a known domain sid part but a not yet used rid.
> 
> The same test should be done with the local domain sid.

These are useful things to explore.  It certainly would be good to lock
this down a bit more, and not allow duplicates to be created in our
domain in the way Gary currently exploits for his testing.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
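The policy sketched in the message above (refuse a second object carrying an objectSid from the local domain, but tolerate duplicates for SIDs from other domains, as foreignSecurityPrincipal and conflict objects require) is easy to model outside LDB. The following is an added illustration written for this page, not Samba's code and not the patch linked above; the domain SIDs, DNs and the `SidIndex` class are constructed for the example, and the split of a SID into domain part and RID simply takes the last sub-authority as the RID.

```python
import re
from dataclasses import dataclass, field

# Constructed local domain SID for the example; not a real domain.
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Textual SID: S-1-<authority>-<subauth>[-<subauth>...]
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split a textual SID into (domain_part, rid).

    For S-1-5-21-x-y-z-RID the domain part is S-1-5-21-x-y-z.  The last
    sub-authority is treated as the RID; malformed input raises ValueError.
    """
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % (sid,))
    domain_part, _, rid = sid.rpartition("-")
    return domain_part, int(rid)


def is_local_domain_sid(sid, local_domain_sid=LOCAL_DOMAIN_SID):
    """True if the SID's domain part is our own domain SID."""
    domain_part, _ = split_sid(sid)
    return domain_part == local_domain_sid


@dataclass
class SidIndex:
    """Toy stand-in for an LDB index on objectSid: maps SID -> list of DNs.

    Uniqueness is enforced only for SIDs of the local domain, which is the
    behaviour the message argues for: proper RID allocation should never
    produce two local objects with the same SID, so a second one is refused,
    while foreign SIDs may legitimately appear more than once (for example
    a foreignSecurityPrincipal and its conflict object).
    """
    entries: dict = field(default_factory=dict)

    def add(self, dn, sid, local_domain_sid=LOCAL_DOMAIN_SID):
        """Record dn as holding objectSid sid; returns the number of holders.

        Raises ValueError when sid is a local-domain SID already held by
        another object.
        """
        holders = self.entries.get(sid, [])
        if holders and is_local_domain_sid(sid, local_domain_sid):
            raise ValueError("objectSid %s already held by %s" % (sid, holders[0]))
        holders.append(dn)
        self.entries[sid] = holders
        return len(holders)

    def holders_of(self, sid):
        """All DNs currently indexed under sid (empty list if none)."""
        return list(self.entries.get(sid, []))


if __name__ == "__main__":
    idx = SidIndex()
    local_user = LOCAL_DOMAIN_SID + "-1105"
    foreign_user = "S-1-5-21-9999999999-8888888888-7777777777-1105"  # constructed

    idx.add("CN=alice,CN=Users,DC=example,DC=test", local_user)
    try:
        idx.add("CN=bob,CN=Users,DC=example,DC=test", local_user)
    except ValueError as e:
        print("refused:", e)

    # Same foreign SID twice: a foreignSecurityPrincipal and a conflict object.
    idx.add("CN=" + foreign_user + ",CN=ForeignSecurityPrincipals,DC=example,DC=test", foreign_user)
    idx.add("CN=" + foreign_user + "\\0ACNF:deadbeef,CN=ForeignSecurityPrincipals,DC=example,DC=test", foreign_user)
    print("foreign holders:", len(idx.holders_of(foreign_user)))
```

The check deliberately keys on the domain part of the SID rather than on the objectClass of the entry, so an object of any class that claims a local-domain SID already in use is refused; whether an unknown domain SID part, or a known domain with an unused RID, should also be refused is exactly the question left open in the thread and is not decided here.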


